A new open source RPKI CA solution: NLnet Labs' Krill

Job Snijders job at ntt.net
Tue Dec 3 16:08:53 UTC 2019


Dear fellow network operators,

It appears Santa brought presents early this year! I'd like to draw
attention to the below forwarded message and provide my take on it.

Some of you represent organisations that interact with multiple RIRs,
and have concluded it can be challenging to figure out the RPKI ROA
provisioning process for each individual RIR and integrate those
different processes with your internal business process.

Every RIR provides their members with what is called a 'hosted' RPKI
service. The 'hosted' RPKI service means the RIRs offer web interfaces
which operators use to create & publish RPKI ROAs. However, the devil is
in the details: concepts such as 'who holds the private keys?' or the API
specification differ from RIR to RIR. In this context the differences
aren't necessarily good or bad, they are just different.

For many operators the RIR hosted model is excellent, but ... there also
is a class of users who would perhaps benefit from something more
'unified', and this is where Krill comes in!

The use case where Krill really shines is that you can ask your RIR to
delegate your resources to your Krill instance, and then build your
tooling to interact with just Krill (instead of building RIR-specific
software)!

To me the very existence of Krill is a sign of a maturing RPKI
ecosystem. If I stare deeply into my crystal ball I can already see the
rise of third-party hosted RPKI solutions for provisioning & monitoring
RPKI objects, or integrations with IPAM systems such as 6connect. I
believe these would be positive developments for the operational
Internet community.

In short: if RPKI is on your company's roadmap, give Krill a spin! :)

get the goods: https://github.com/NLnetLabs/krill
documentation: https://rpki.readthedocs.io/en/latest/krill/

Kind regards,

Job

----- Forwarded message from Alex Band <alex at nlnetlabs.nl> -----

Date: Tue, 3 Dec 2019 12:33:51 +0100
From: Alex Band <alex at nlnetlabs.nl>
To: rpki at nlnetlabs.nl
Subject: [RPKI] Krill 0.4.0 'The Krill Factor' released and running in production

Dear mailing list,

We are incredibly proud to introduce Krill 0.4.0 'The Krill Factor'. This
release is the culmination of one and a half years of designing, building,
testing and documenting our RPKI Certificate Authority (CA) and
Publication Server solution.

The first three releases of Krill were meant to test the implementation.
With Krill 0.4.0 'The Krill Factor', we are confident that the software
can be used reliably with all five Regional Internet Registries (RIRs) and
its Route Origin Authorisations (ROAs) are correctly validated by all
Relying Party software implementations. As a result, NLnet Labs is now
running Krill in production under the RIPE NCC parent CA.

With Krill 0.4.0 'The Krill Factor', operators can now generate and
publish RPKI cryptographic material themselves to authorise their BGP
announcements. It supports running RPKI under all five RIRs simultaneously
and transparently, so if you have IP address space in multiple regions you
can manage it as a single pool. Krill can also delegate to child
organisations or customers who, in turn, run their own CA. The built-in
publication server lets operators publish certificates and ROAs from their
own infrastructure. Alternatively, you can use a third party which offers
RPKI publication as a service. In short, all essential functions to run
RPKI yourself using Krill are now available.

Krill can be managed using a Command Line Interface (CLI), as well as an
Application Programming Interface (API). An optional web-based user
interface is currently being developed as a separate project, named
Lagosta. With Krill 0.4.0 'The Krill Factor' data storage and the API are
now stable, allowing for seamless updates going forward. This release
serves as a starting point for further development throughout 2020 and
beyond, where we will work on features such as high availability and
support for just-in-time authorisations integrated tightly with internal
routing management.

Starting with Krill 0.4.0 and Routinator 0.6.0 we are offering commercial
support for our RPKI software solutions, in case this is a requirement for
your organisation or if you want to support the future development of the
software. The service-level agreement (SLA) contract and security policy
is on par with our DNS software NSD and Unbound. End of support for the
software will be publicly announced two years in advance. Krill is
licensed under the Mozilla Public License 2.0. Routinator and all
libraries that are built to support the RPKI toolset are licensed under
the BSD 3-Clause License.

Once again, we would like to extend our gratitude to NIC.br, the RIPE NCC
Community Projects Fund, the Dutch National Cyber Security Centre and the
Mozilla Open Source Support Fund for financially supporting the
development of Krill, as well as our Relying Party software package
Routinator. In addition, our thanks go out to DigitalOcean for offering
their cloud infrastructure for our automated test platform, Fastly for
their CDN services, as well as Juniper, Cisco and Nokia for providing us
with virtual routers for testing. These organisations make it possible for
us to develop free, open source software in a sustainable way. Please
reach out to us if you want to join this effort.

On behalf of the NLnet Labs RPKI Team,
Alex
-- 
RPKI mailing list
RPKI at nlnetlabs.nl
https://www.nlnetlabs.nl/mailman/listinfo/rpki

----- End forwarded message -----
